Consider notifying any affected customers or suppliers

The incident management team should carry out an "impact assessment" to consider the risks of the IT failure for customers and/or suppliers. You may consider:

  • the importance of any lost data
  • the potential effects of the lost data on you, your customers and your suppliers
  • the likelihood and timeframe of recovering any lost data
  • the level of service that you are currently able to provide
  • the potential effects of the reduced service on you, your customers and your suppliers
  • the expected timeframe for rectifying the IT systems failure
  • your ability to meet any obligations to your customers or suppliers

Any notification of the situation to customers or suppliers should have a clear purpose. Consider relevant contextual factors, such as:

  • are you contractually obliged to notify?
  • can notifying assist customers or suppliers to mitigate/manage any risk?
  • are there dangers in "over-notifying"?
    • this may become an issue if notification would serve no practical purpose, or would have a disproportionate impact on the people notified compared to the likely consequences of the IT failure. For example, notification may serve little purpose if the lost data can be restored, or if only a small amount of insignificant data is involved and you are still able to meet your obligations
  • take care over the form of notification. The notification often includes how and when the IT systems failure occurred, what data was involved and your organisation's response. The notification should seek to avoid any acknowledgement of legal responsibility for the failure, or of any relevant breach of contract or law

If the IT systems failure has led to a loss of personal data, see A loss or theft of personal data.